Cybercriminals are going after millions of Facebook users by using a sophisticated Android Trojan app designed to bypass the two-factor authentication protection used by Facebook to shield its mobile users.

IT security firm ESET based in Slovakia has identified a new variant of a computer banking Trojan called "Qadars." The new variant injects rogue JavaScript code into Facebook pages when opened in a browser from an infected system.

The injected code generates a message telling users to download and install Android malware that will steal authentication codes sent to their mobile phones via SMS. The attacks, also known as "webinjects," are commonly used to infiltrate banking websites in order to steal log-in passwords and other personal financial information.

In the case of the current attacks on Facebook users, webinjects display messages instructing users to download and install malware or malicious applications on their mobile phones. The malware is disguised as a security app supposedly sent by a bank or financial institution.

In reality, these malware mobile apps are designed to steal mobile transaction authorization numbers (mTANs) and other one-time passwords sent by banks via SMS.

ESET said Qadars is a variant of an advanced Android Trojan called iBanking. Security analysts said the source code for iBanking was released on an underground forum. They warned that this development allows more cybercriminals to use this mobile threat in their cybercrime operations.

ESET noted that through its monitoring of the banking Trojan Win32/Qadars, it has witnessed a type of webinject that is totally new for them. This webinject uses JavaScript meant to be injected into Facebook web pages as it tries to fool a user into installing an Android application.

When logging into Facebook from a computer infected with Qadars, a user will see a rogue message informing him that "due to a rising number of attempts in order to gain unlawful access to the personal information of our users and to prevent corrupted page data to spread Facebook administration introduces new extra safety protection system."

This alleged protection system is presented as a mobile application that generates unique authentication codes that can be used instead of regular passwords. But in order to obtain the application, victims are asked to specify the OS of their mobile phone and their phone number. They are then directed to a page with a download link and a corresponding QR code.